Browser Privacy for Small Businesses: What You Need to Know

The browser your team uses every day is quietly collecting a significant amount of data, including browsing history, location, financial details, and more, depending on which browser it is. Research from Surfshark found that Google Chrome collects 20 different types of data on mobile, making it the most data-hungry popular browser on the market. This post explains what that means for your business, what the real risks are, and the practical steps you can take to reduce unnecessary exposure without changing how your team works.

Most business owners think about cybersecurity in terms of firewalls, antivirus software, and email filtering. The browser rarely comes up. It should.

Your browser is the tool your team uses more than almost anything else in the workday. It’s how they access cloud apps, log into business systems, conduct research, communicate with clients, and handle sensitive tasks. It’s also one of the most data-rich applications on any device, and most people have never looked closely at what it collects or where that data goes.

A 2025 study by Surfshark analyzed the data collection practices of the most popular mobile browsers by examining the privacy disclosures published in app stores. What they found should prompt a conversation at most small businesses: the browsers people use most are also the ones that collect the most.

What Popular Browsers Are Actually Collecting

Google Chrome

Chrome is the most widely used browser in the world, and it’s also the most data-hungry among the popular options analyzed.

According to Surfshark’s research, Chrome collects 20 different types of data on mobile. That list includes contact information, browsing history, search history, location data, user content, identifiers, usage data, and diagnostics. Chrome is also the only browser in the study that collects financial information, including payment methods and card details stored in the browser.

Some of that collection is tied to functionality. When you’re signed into Chrome with a Google account, data syncs across devices, which requires the browser to know what you’ve been doing. Google services like Search, Gmail, and Maps are deeply integrated with Chrome and contribute to the overall data picture.

But the scope of what’s collected, and the fact that most users haven’t looked at the details, is worth understanding.

Microsoft Edge

Edge collects fewer data types than Chrome, but it appears in a different category of concern: data shared with third parties.

Research has identified Edge as one of the browsers that collects data used for tracking purposes, which can potentially be sold to data brokers or used for targeted advertising. Edge also collects location data, including approximate and precise location in some configurations, which it shares with third parties.

For businesses running on Microsoft 365, where Edge is often the default browser, this is a relevant detail. The fact that Edge is a Microsoft product doesn’t mean its data collection practices automatically align with enterprise privacy expectations. The default settings and what they permit are worth reviewing.

What the Safest Options Look Like

For context on where the spectrum ends: Brave collects only identifiers and usage data by default, and Tor collects no data at all. Firefox and DuckDuckGo sit in a moderate category, avoiding the most sensitive data collection while still gathering some usage and diagnostic information.

The practical takeaway isn’t that your team needs to switch browsers tomorrow. Chrome and Edge are popular in business environments for good reasons: compatibility, familiarity, integration with other tools. The point is that the default settings in those browsers were not designed with your business’s data minimization interests in mind. They were designed for the browser maker’s.

Why This Matters More Than It Used to

Browsing History Is a Business Profile

A single browsing session doesn’t say much. Six months of browsing history tells a different story.

Over time, a browser’s data trail can reveal the vendors you’re evaluating, the legal or financial questions you’re researching, the competitive intelligence you’re gathering, the health issues affecting your team, and the problems you’re trying to solve in your business. It’s not just a list of websites. It’s a detailed record of what your business is thinking about and doing.

When that data is collected, shared with third parties, and potentially exposed in a breach, it doesn’t just affect the individual employee. It can surface competitive intelligence about your business, expose client interests, or give attackers a map of what your organization cares about.

Browser Data Is a Target in Breaches

IBM’s 2025 reporting found that personal data capable of identifying individual customers was the most commonly compromised type of information in data breaches that year. Browser data and device identifiers are valuable to attackers specifically because they help link online activity to real people and real organizations.

Credentials saved in browsers are also one of the primary targets for infostealer malware, as we covered in a recent post on why MFA enforcement matters. A browser that stores passwords, payment details, and session data across many accounts becomes a high-value target if a device gets compromised.

Browser Extensions Add Another Layer of Risk

The browser itself isn’t the only concern. Extensions installed in Chrome or Edge can carry significant data access permissions, and not all of them are trustworthy.

In late 2025, researchers at Koi Security found that four popular browser extensions, including what appeared to be legitimate VPN and ad-blocking tools, had been harvesting the text of AI conversations from more than 8 million users and transmitting it back to the developers. The extensions were available through the Chrome Web Store and Microsoft Edge Add-ons and collected conversations from ChatGPT, Claude, Copilot, and other AI platforms.

This is an important data point for businesses. If your team is using browser extensions on work devices, those extensions may have broader access than anyone realizes. An extension that requests permission to read page content can, in principle, read everything your browser sees, including content from business applications, AI tools, and logged-in accounts.

Practical Steps to Reduce Your Browser Exposure

None of these steps require your team to abandon their current browser or change how they work in any significant way. They’re about reducing the amount of unnecessary data that leaks out in the background.

Review and Tighten Browser Permissions on Mobile Devices

Start with the app permissions granted to your browser on company phones and tablets. Does it have access to location all the time, or only when the app is in use? Does it have access to your contacts, photos, or files?

Most people granted these permissions during initial setup without paying close attention. A quick review in your device’s settings will show exactly what your browser can access. Anything that isn’t genuinely necessary for how you use the browser can be turned off.

Audit Installed Browser Extensions

Pull up the list of extensions installed in the browsers used on company devices and workstations. For each one, ask: do you know what this does, who made it, and what permissions it has?

Extensions should be limited to tools your team actually needs, from publishers you recognize, with permissions that make sense for their stated function. An ad blocker that requests access to all data on all websites should prompt a closer look. A VPN extension that wants to read page content warrants real scrutiny.
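To make the permission question concrete, here is an added example (not code from the original post) that reads extension manifests and flags any that ask for access to every website. It assumes the layout Chrome and Edge use inside a profile's Extensions folder, one subfolder per extension ID and version; the function names, the list of sensitive API permissions and the two sample extensions are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read or change pages on every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth a second look (editor's selection, not exhaustive).
SENSITIVE_APIS = {"cookies", "history", "tabs", "webRequest", "debugger"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

def review_manifest(manifest):
    """Summarise what one manifest (Manifest V2 or V3) asks for."""
    declared = set()
    for key in PERMISSION_KEYS:
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts run inside matching pages, so their patterns count too.
    script_hosts = {m for cs in manifest.get("content_scripts", [])
                    for m in cs.get("matches", [])}
    broad = sorted((declared | script_hosts) & BROAD_HOSTS)
    return {"name": manifest.get("name", "(unnamed)"),
            "broad_hosts": broad,
            "sensitive_apis": sorted(declared & SENSITIVE_APIS),
            "needs_review": bool(broad)}  # all-sites access: ask why

def audit_extensions(extensions_dir):
    """Review every <extension id>/<version>/manifest.json under a folder."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if isinstance(manifest, dict):
            findings.append({"id": path.parts[-3], **review_manifest(manifest)})
    return findings

def build_sample_dir():
    """Constructed sample data: two made-up extensions in a temp folder."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaa-sample-adblock": {"name": "Sample Ad Blocker",
                                "permissions": ["storage", "tabs"],
                                "host_permissions": ["<all_urls>"]},
        "bbbb-sample-notes": {"name": "Sample Notes", "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        (root / ext_id / "1.0.0_0").mkdir(parents=True)
        (root / ext_id / "1.0.0_0" / "manifest.json").write_text(json.dumps(manifest))
    return root

if __name__ == "__main__":
    for finding in audit_extensions(build_sample_dir()):
        print(finding)
```

Pointing `audit_extensions` at a real profile's Extensions folder produces the same report; names that show up as `__MSG_...__` are localisation placeholders and need to be matched to the extension by its ID.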

Our managed IT services include reviewing the software and extensions running on managed devices as part of endpoint security management. It’s an area that often surfaces surprises.

Use a Password Manager Instead of Browser-Saved Credentials

Browsers will happily save usernames and passwords for every site you visit. It’s convenient. It’s also a meaningful risk if a device is compromised, because everything saved in the browser becomes accessible.

A dedicated password manager solves this in two ways. First, it removes the need for the browser to store credentials, which reduces what’s available to any malware that might reach the device. Second, it makes it practical to use strong, unique passwords for every account, which limits the damage if one account is ever compromised.

This is a low-friction change that most employees adapt to quickly, and the security improvement is real. Our cybersecurity awareness training covers password manager adoption as part of building better credential hygiene across the team.

Review Sync Settings and Sign-In Behavior

When employees use a browser while signed into their personal Google or Microsoft account, the data collected may sync to that personal account rather than staying on the business device. This creates a situation where business browsing activity lives in a personal account that the business has no control over and can’t remove access from when an employee leaves.

For company devices, it’s worth establishing a clear policy on browser sign-in: either use a business-managed account only, use the browser without signing in, or at minimum understand the distinction between what syncs to a personal account versus what stays local.

Keep Browsers Updated

Browser updates frequently include security patches for vulnerabilities being actively exploited. A browser running two or three versions behind the current release is a meaningful security gap, especially on devices that access business systems.

This sounds obvious, but it’s one of the most commonly overlooked areas in small business environments, particularly on phones and tablets where updates don’t happen automatically unless someone has turned that setting on.

The Browser Is Part of Your Security Posture

Most small businesses spend time thinking about endpoint protection, email filtering, and backup systems. The browser gets less attention, partly because it feels like consumer software rather than business infrastructure.

The data says otherwise. Your browser is the application your team uses to access nearly everything. It collects significant amounts of information about that activity, some of which gets shared with third parties, some of which gets stored in ways that create risk if the device is ever compromised. Browser extensions expand that surface further, and not all of them deserve the access they request.

Getting deliberate about browser configuration and permissions doesn’t require a major project. It requires a review, a few decisions, and a clear policy for managed devices going forward.

If you’d like help reviewing your team’s browser security posture as part of a broader security assessment, reach out to the Z-JAK team. We work with small and mid-sized businesses across Louisville to make sure the whole environment is covered, not just the obvious parts.

Frequently Asked Questions

Does it matter which browser my employees use on company devices?

Yes. Different browsers collect different amounts of data and share it with different parties. Chrome and Edge are the most commonly used in business environments, and both collect significant amounts of data by default. This doesn’t make them unsafe for business use, but it does mean the default settings aren’t optimized for data minimization. Reviewing and tightening those settings is worth the time.

Are browser extensions a real security risk for small businesses?

They can be. Extensions often request broad permissions to read page content and access account data, and not all extensions are trustworthy even if they appear legitimate in browser stores. In late 2025, researchers found that several popular extensions had been harvesting AI conversations from millions of users and transmitting them to third parties. Limiting extensions to well-known, necessary tools and reviewing their permissions regularly is a practical risk reduction step.

Is it a problem if employees use their personal browser account on a work device?

It can create governance complications. When browsing activity syncs to a personal account, business data can flow into a personal account that the business has no visibility into or control over. If an employee leaves, that data doesn’t come back. Establishing a clear policy on browser sign-in behavior for company devices is a straightforward way to address this.

Should we switch away from Chrome or Edge to protect privacy?

Not necessarily. Both browsers work well in business environments and integrate with tools most businesses already use. The goal isn’t to replace them but to configure them more deliberately. Reviewing permissions, auditing extensions, using a password manager for credentials instead of the browser, and keeping browsers updated are practical steps that meaningfully reduce exposure without requiring a change in tools.

How does browser privacy connect to our overall cybersecurity posture?

Your browser is the application through which your team accesses cloud apps, business systems, client information, and sensitive data every day. If the browser is collecting and sharing more data than necessary, storing credentials in ways that create risk, or running extensions with broad permissions, those are real gaps in your overall security posture. Browser security should be part of any endpoint security review, not treated as a separate consumer concern.

Ready to Take a Closer Look at Your Business’s Security Posture?

Browser privacy is one piece of a larger picture. The businesses that handle it well are the ones that take a deliberate look at the full environment, including the tools employees use every day, not just the obvious infrastructure. If you’d like a practical security assessment that covers the gaps most businesses don’t think to check, get in touch with our team today. We’re happy to start with a conversation about what matters most for your business.